The Hacker News — Cyber Security, Hacking, Technology News

If you are an engineer who uses LabVIEW software to design machines or industrial equipment, be very careful when opening any VI (virtual instrument) file.

LabVIEW, developed by the American company National Instruments, is a visual programming language and powerful system-design tool that is used worldwide in hundreds of fields and gives engineers a simple environment for building measurement or control systems.

Security researchers from Cisco's Talos Security Intelligence have discovered a critical vulnerability in LabVIEW software that could allow attackers to execute malicious code on a target computer, giving them full control of the system.

Identified as CVE-2017-2779, the code execution vulnerability could be triggered by opening a specially crafted VI file, a proprietary file format used by LabVIEW.

The vulnerability stems from a memory corruption issue in LabVIEW's RSRC segment parsing functionality.

Manipulating the values within the RSRC segment of a VI file causes a controlled looping condition, which results in an arbitrary null write.

"An attacker controlled VI file can be used to trigger this vulnerability and can potentially result in code execution."

Talos researchers successfully tested the vulnerability on LabVIEW 2016 version 16.0, but National Instruments has refused to treat the issue as a vulnerability in its product and has no plans to release a patch for the flaw.

However, the issue should not be ignored, because the threat vector is very similar to that of many previously disclosed Microsoft Office vulnerabilities, in which victims were compromised after opening a malicious MS Word file received via email or downloaded from the Internet.

"The consequences of a successful compromise of a system that interacts with the physical world, such as data acquisition and control systems, may be critical to safety," the researchers write.

"Organisations that deploy such systems, even as pilot projects, should be aware of the risk posed by vulnerabilities such as these and adequately protect systems."

Since no patch is available, LabVIEW users are left with only one option: be very careful when opening any VI file received via email.

For more technical details about the vulnerability, head over to Cisco Talos' advisory.

Are you using Foxit PDF Reader? If yes, then you need to watch your back.

Security researchers have discovered two critical zero-day vulnerabilities in Foxit Reader that could allow attackers to execute arbitrary code on a targeted computer if the software is not configured to open files in Safe Reading Mode.

The first vulnerability (CVE-2017-10951) is a command injection bug discovered by researcher Ariele Caltabiano working with Trend Micro's Zero Day Initiative (ZDI), while the second bug (CVE-2017-10952) is a file write issue found by Offensive Security researcher Steven Seeley.

An attacker can exploit these bugs by sending a specially crafted PDF file to a Foxit user and enticing them to open it.

Foxit declined to patch either vulnerability because they do not work when the "Safe Reading Mode" feature, which fortunately is enabled by default in Foxit Reader, is on.

"Foxit Reader & PhantomPDF has a Safe Reading Mode which is enabled by default to control the running of JavaScript, which can effectively guard against potential vulnerabilities from unauthorized JavaScript actions," the company says.

However, the researchers argue that a mitigation is not a patch: if the bugs remain unfixed, they could be exploited should attackers find a way to bypass Safe Reading Mode in the near future.

Both unpatched vulnerabilities can be triggered through the JavaScript API in Foxit Reader.

CVE-2017-10951: The command injection bug resides in the app.launchURL function, which executes attacker-supplied strings on the targeted system because of missing input validation, as demonstrated in the video below.

CVE-2017-10952: This vulnerability exists in the "saveAs" JavaScript function and lets an attacker write an arbitrary file to any location on the targeted system, as demonstrated in the video below.

"Steven exploited this vulnerability by embedding an HTA file in the document, then calling saveAS to write it to the startup folder, thus executing arbitrary VBScript code on startup," reads the advisory published by the ZDI.

If you use Foxit Reader or PhantomPDF, ensure that the "Safe Reading Mode" feature is enabled. You can also uncheck "Enable JavaScript Actions" in Foxit's Preferences menu, although this may break some functionality.
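To give defenders a concrete check for the two functions named above, here is an added Python example (not code from the ZDI advisories or from Foxit) that scans raw PDF bytes for JavaScript actions referencing app.launchURL or saveAs. The sample PDF fragment and the /c/x.txt path are constructed for the demonstration; scripts hidden in compressed object streams would have to be inflated before this check sees them.

```python
import re

# JavaScript API functions named in the two ZDI advisories quoted above.
RISKY_CALLS = ("app.launchURL", "saveAs")

def _read_literal(data: bytes, start: int) -> str:
    """Decode the PDF literal string whose '(' is at data[start]. Unescaped
    parentheses nest; a backslash keeps the next byte as-is (no \\n translation)."""
    depth, i, out = 0, start, bytearray()
    while i < len(data):
        c = data[i:i + 1]
        i += 1
        if c == b"\\":                       # escape: copy next byte as-is
            out += data[i:i + 1]
            i += 1
            continue
        depth += (c == b"(") - (c == b")")
        if depth == 0:                       # matching close: string ends
            break
        if not (c == b"(" and depth == 1):   # drop only the opening delimiter
            out += c
    return out.decode("latin-1")

def extract_js(pdf: bytes) -> list[str]:
    """Return every script held in a /JS entry, in literal or hex-string form.
    Scripts inside compressed object streams must be inflated before this."""
    scripts = []
    for m in re.finditer(rb"/JS\s*(?=[(<])", pdf):
        pos = m.end()
        if pdf[pos:pos + 1] == b"(":
            scripts.append(_read_literal(pdf, pos))
        else:
            hexdigits = re.sub(rb"\s", b"", pdf[pos + 1:pdf.index(b">", pos)])
            scripts.append(bytes.fromhex(hexdigits.decode()).decode("latin-1"))
    return scripts

def flag_risky(pdf: bytes) -> dict[str, list[str]]:
    """Map each risky API name to the embedded scripts that mention it."""
    scripts = extract_js(pdf)
    return {n: [s for s in scripts if n in s] for n in RISKY_CALLS
            if any(n in s for s in scripts)}

# Constructed sample with three JavaScript actions; only the first is benign.
SAMPLE_PDF = (
    b'%PDF-1.7\n1 0 obj << /S /JavaScript /JS (app.alert("hi (there)")) >> endobj\n'
    b'2 0 obj << /S /JavaScript /JS (app.launchURL("https://example.com")) >> endobj\n'
    b"3 0 obj << /S /JavaScript /JS <" + b'this.saveAs("/c/x.txt")'.hex().encode()
    + b"> >> endobj\n"
)
```

Any hit on saveAs, and any launchURL argument that is not a plain web URL, is a reason to keep the file in Safe Reading Mode or not open it at all.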

Users are also advised to always be vigilant when opening files received via email. Just recently, we reported how opening a malicious PowerPoint file could compromise your computer with malware.

Update: Foxit Response

A Foxit spokesperson provided the following statement to The Hacker News via email:

"Foxit Software is deeply committed to delivering secure PDF products to its customers. Our track record is strong in responding quickly in fixing vulnerabilities. We are currently working to rapidly address the two vulnerabilities reported on the Zero Day Initiative blog and will quickly deliver software improvements. In the meantime, users can help protect themselves by using the Safe Reading Mode."

"We apologize for our initial miscommunication when contacted about these vulnerabilities and are making changes to our procedures to mitigate the probability of it occurring again."

A highly critical vulnerability has been discovered in Cisco Systems' WebEx browser extension for Chrome and Firefox, for the second time this year, which could allow attackers to remotely execute malicious code on a victim's computer.

Cisco WebEx is a popular communication tool for online events, including meetings, webinars and video conferences, that helps users connect and collaborate with colleagues around the world. The extension has roughly 20 million active users.

Discovered by Tavis Ormandy of Google Project Zero and Cris Neckar of Divergent Security, the remote code execution flaw (CVE-2017-6753) is due to a design defect in the WebEx browser extension.

To exploit the vulnerability, all an attacker needs to do is trick a victim into visiting a web page containing specially crafted malicious code using a browser with the affected extension installed.

Successful exploitation of this vulnerability could result in the attacker executing arbitrary code with the privileges of the affected browser and gaining control of the affected system.

"I see several problems with the way sanitization works, and have produced a remote code execution exploit to demonstrate them," Ormandy said. "This extension has over 20M [million] active Chrome users alone, FireFox and other browsers are likely to be affected as well."

Cisco has already patched the vulnerability and released the "Cisco WebEx Extension 1.0.12" update for Chrome and Firefox, which addresses this issue, though "there are no workarounds that address this vulnerability."

Security researchers have disclosed local zero-day DLL hijacking vulnerabilities in several applications developed by Corel Software that could allow an attacker to execute arbitrary commands on victims' computers, potentially affecting more than 100 million users.

The security holes were publicly disclosed by Marcos Accossatto of the vulnerability research firm Core Security after the vendor did not respond to his private disclosure of the flaws.

Corel develops a wide range of products, including graphics, photo, video and other media editing programs. According to the researcher, when a media file associated with one of the vulnerable Corel products is opened, the product also loads a specifically named DLL (Dynamic Link Library) file into memory if one is located in the same directory as the opened media file.

These DLL files contain executable code, so an attacker could install malware on a victim's computer by placing malicious DLLs in the same directory as the document.

"Given that this is a client-side vulnerability, affected users should avoid opening untrusted files whose extensions are associated with Corel software and contain any of the [affected] DLL files," Accossatto said in an advisory.

"When a file associated with the Corel software is opened, the directory of that document is first used to locate DLLs, which could allow an attacker to execute arbitrary commands by inserting malicious DLLs into the same directory as the document."
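As an added example (not Core Security's code), the following Python script turns Accossatto's advice into a check a defender can run over a downloads or shared folder: it walks a directory tree and reports every Corel-associated document that sits beside a DLL. The extensions (.cdr is CorelDRAW's native format; the others are assumed) and the example.dll name are placeholders, since the advisory's affected DLL names are not given here.

```python
import os
import tempfile

# Assumed document extensions: .cdr is CorelDRAW's native format; the other
# two stand in for whatever formats the affected products register.
COREL_DOC_EXTS = {".cdr", ".pspimage", ".riff"}

def find_colocated_dlls(root: str, doc_exts=COREL_DOC_EXTS,
                        watched=frozenset()) -> dict[str, list[str]]:
    """Return {document path: [DLL names in its directory]} for every document
    whose folder also holds a DLL. With a non-empty `watched` set of lower-case
    names, only those DLLs count; otherwise any DLL beside a document is
    reported, the conservative check when the loaded names are unknown."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        dlls = sorted(f for f in files if f.lower().endswith(".dll")
                      and (not watched or f.lower() in watched))
        if not dlls:
            continue
        for f in files:
            if os.path.splitext(f)[1].lower() in doc_exts:
                findings[os.path.join(dirpath, f)] = dlls
    return findings

def build_sample_tree(base: str) -> None:
    """Constructed fixture: a downloads folder holding a .cdr beside a
    placeholder example.dll, and a clean folder holding a .cdr only."""
    for rel in ("downloads/invoice.cdr", "downloads/example.dll",
                "downloads/readme.txt", "clean/logo.cdr"):
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()

def demo(watched=frozenset()) -> dict[str, list[str]]:
    """Build the fixture in a temp dir and return findings as relative paths."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        found = find_colocated_dlls(base, watched=watched)
        return {os.path.relpath(p, base).replace(os.sep, "/"): d
                for p, d in found.items()}

if __name__ == "__main__":
    for doc, dlls in demo().items():
        print(f"{doc}: DLL(s) beside it -> {', '.join(dlls)}")
```

A DLL found next to an untrusted document is not proof of an attack, but it is exactly the condition the advisory warns about and the document should not be opened with an affected product until the DLL has been examined.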

VULNERABLE COREL PRODUCTS
At least eight Corel products are affected by the vulnerabilities, including:

CorelDRAW X7

Corel Photo-Paint X7

Corel PaintShop Pro X7

CorelCAD 2014

Corel Painter 2015

Corel PDF Fusion

Corel VideoStudio PRO X7

Corel FastFlick

Corel was notified of the vulnerabilities in its products on December 9, 2014, followed by another email on December 17, 2014 asking it to confirm receipt of the previous message, but the vendor did not respond. The Core team then contacted the company via Twitter on January 2 and again received no response, so it disclosed the flaws publicly.

STATEMENT FROM TEAM COREL

There are no patches available for the vulnerabilities yet.

"Corel is reviewing its products on a case-by-case basis to safeguard dynamic loading of DLL files, which is a common vulnerability in many Windows applications," said Jessica Gould, senior communications manager for Corel, in a statement Tuesday.

"Corel makes frequent updates to our applications and these changes have been made a priority for the next update of any affected Corel product. We would like to assure our users that we are not aware of any exploits of this issue with our software."
